ABSTRACT

The most significant merit of the RPPM algorithm is that when the algorithm terminates, it guarantees that the constructed attack graph is correct with a specified level of confidence. We carry out simulations on the RPPM algorithm and show that it can guarantee the correctness of the constructed attack graph under 1) different probabilities that a router marks the attack packets, and 2) different structures of the network graph. The RPPM algorithm provides an autonomous way for the original PPM algorithm to determine its termination, and it is a promising means to enhance the reliability of the PPM algorithm. As attackers use automated methods to inflict widespread damage on vulnerable systems connected to the network, it has become painfully clear that traditional manual methods of protection do not suffice. This paper discusses an intrusion prevention approach (intrusion detection and response based on active networks) that helps to provide a rapid response to vulnerability advisories.
INTRODUCTION

We design a new probabilistic packet marking technology, P3M, in this article. Compared with the traditional PPM technologies, our first contribution is a new payload (called the P3M payload below) carrying the router address and a path identification, so that the normal operation of packet reassembly and the QoS mechanism is not affected. Our second contribution is a new path identification scheme based on router addresses and a hash algorithm. The use of path identification makes our probabilistic packet marking technology P3M simple when the victim computes DDoS attack paths, and the path identification could also be used by other network security equipment.

PACKET MARKING PROCEDURE 

The packet marking procedure aims at encoding every edge of the attack graph, and the routers encode the information in three marking fields of an attack packet: the start, the end, and the distance fields (Savage et al. discussed the design of the marking fields). In the following, we describe how a packet stores the information about an edge in the attack graph, and the pseudo code of the procedure is given in Figure 1 for reference.

When a packet arrives at a router, the router determines how the packet is to be processed based on a random number $x$ (line 1 in the pseudo code). If $x$ is smaller than the predefined marking probability $p_m$, the router chooses to start encoding an edge: it sets the start field of the incoming packet to the router's address and resets the distance field of that packet to zero.
Then, the router forwards the packet to the next router. When the packet arrives at the next router, that router again chooses whether it should start encoding another edge.

For example, suppose that this time the router chooses not to start encoding a new edge. Then, the router will discover that the previous router has started marking an edge, because the distance field of the packet is zero. Consequently, the router sets the end field of the packet to the router's address. In addition, the router increments the distance field of the packet by one so as to indicate the end of the encoding.

Now, the start and the end fields together encode an edge of the attack graph. For this encoded edge to be received by the victim, successive routers should choose not to start encoding an edge, that is, the case $x > p_m$ in the pseudo code, because a packet can encode only one edge. Furthermore, every successive router will increment the distance field; ... cannot be applied under this multiple-attacker environment.

Packet Marking Procedure (Packet w)

1. Let x be a random number in [0, 1)
2. If x < p_m then
3.     write router's address into w.start and 0 into w.distance
4. else
5.     If w.distance = 0 then
6.         write router's address into w.end
7.     end If
8.     increment w.distance by one
9. end If

Figure 1: The Pseudo Code of the Packet Marking Procedure of the PPM Algorithm 




Figure 2: A 14-Router Binary-Tree Network the Upper-Bound Equation 
ROUTER MAINTENANCE 

The assumption that every router has only one outgoing route toward the victim is now relaxed. This change may cause the attack packets to take more than one path toward the victim, and the routers in the constructed graph may have more than one outgoing edge.

Problem of Multiple Victim Routes 
Originally, without considering routers that have multiple victim routes, the arrival of a new encoded edge will add only a new node and a new edge to the constructed graph (note that this is the worst-case execution scenario). However, when we allow a router to have multiple victim routes, the arrival of a marked packet that encodes a new edge can result in two different scenarios:

• A new node is added, that is, one node plus one edge, and

• No new node is added, which means that the new edge connects two existing nodes. 





Figure 3: When the Routers Have More than One Victim Route, the RPPM Algorithm Cannot 
Guarantee the Correctness of the Constructed Graph when the Confidence Level is Larger than 0.59 

The Simulation Environment 

The testing network is a random-tree network with 10 nodes: one victim plus inner routers. However, this time, we allow the routers in the testing network to have more than one victim route. Again, the marking probability is set to a random number in [0.1, 0.9], and this value is the same for all routers.

THE SIMULATION RESULTS 

Figure 3 shows the simulation results for both the average-case and the worst-case executions. For small values of the traceback confidence level, the success rates of both execution modes are still above the bottom line. However, the success rate of the worst-case execution falls below the bottom line when the traceback confidence level goes beyond 0.54, whereas the success rate of the average-case execution falls below the bottom line when the traceback confidence level goes beyond 0.59. One can conclude that the PPM algorithm cannot guarantee the success rate in reconstructing the attack graph when the routers have multiple outgoing routes toward the victim.

Formulating an Extra Set of Extended Graphs 

The new set of extended graphs is defined as follows 
Figure 4: An Illustration of the Extended Graph with the Support of Multiple Victim Routes

Figure 5: With the Support for Multiple Victim Routes, the RPPM Algorithm Can Provide the Guarantee of the Correctness of the Constructed Graph

Simulation: Support for Multiple Victim Routes 

The results are shown in Figure 5. In this figure, the PPM algorithm can again guarantee the correctness of the constructed graph, with the support of multiple victim routes. Technically speaking, the introduction of the extra set of extended graphs actually increases the value of the TPN, and as the TPN increases, the success rate increases.

TPN GENERATION 



We denote $P_r(C_i \to C_{i+1})$ as the probability that the rectified graph reconstruction procedure proceeds from state $C_i$ to state $C_{i+1}$, with the TPN set to $n$, and we name this probability the state-change probability from $C_i$ to $C_{i+1}$. In other words, it is the probability that the victim receives a new edge before the number of collected marked packets is larger than the TPN $n$. Since the probability that the PPM algorithm returns a correct constructed graph is equivalent to the probability that the RPPM algorithm makes a transition of $n-1$ steps from state $C_1$ to state $C_n$, mathematically, we have the following:



$$P(\text{constructed graph is correct}) = \prod_{j=1}^{n-1} P_r(C_j \to C_{j+1}).$$

Then, our claim is correct, given that the product of the state-change probabilities from states $C_1$ to $C_n$ should be greater than $P^*$, and this is given by

$$\prod_{j=1}^{n-1} P_r(C_j \to C_{j+1}) > P^*.$$

For the sake of further presentation, we transform the above equation as follows:

$$P_r(C_i \to C_{i+1}) > \frac{P^*}{X_{i-1}}, \quad \text{where } X_{i-1} = \prod_{j=1}^{i-1} P_r(C_j \to C_{j+1}). \qquad (8)$$

$X_{i-1}$ in (8) is the product of the state-change probabilities of the past states of the rectified graph reconstruction procedure, and we name it the accumulated state-change probability at state $C_i$.

Termination Packet Number Derivation 

According to the previous section, we know that the TPN at each connected state can be found by (8), which is 
expressed in terms of the state-change probability. In this section, we derive the TPN by deriving the state-change 
probability with the following steps: 

• To recall, the state-change probability is the probability that the constructed graph of state Ci evolves into the 
constructed graph of state Ci+1. Hence, the first step in calculating the state-change probability is to find all the 
graphs that could possibly be the next constructed graph, and we name this set of graphs the extended graphs. 

• In the second step, for each extended graph Ge, we find the probability that the current constructed graph becomes 
the extended graph Ge . As a matter of fact, the above probability is the state-change probability from Ci to Ci+1, 
conditioned that the extended graph Ge is the next constructed graph, and we name this the conditional state- 
change probability. 

• From the conditional state-change probability, one can find the state-change probability (and, thus, the TPN) through the definition of conditional probability. Nevertheless, because the calculation of the exact TPN violates the basic assumptions of the traceback problem, the upper-bounded TPN is derived instead, and the relationship between the exact TPN and the upper-bounded TPN will be presented.
Figure 6: An Illustration of the Concept of the Extended Graph

RECONSTRUCTION PATH

The computational burden lies mainly on the procedure of path reconstruction. Reducing the total number of marked packets required for path reconstruction is therefore critical. We first attempt to find the optimal marking probability, then enhance the marking mechanism, and finally study the possibility of "reducing" the path length.

Denote $k$ as the number of attack paths to the victim $v$. For path $j$ ($1 \le j \le k$), the number of routers between the attack source and $v$ is $d_j$. Let $p_i^j(m)$ be the marking probability of router $i$ ($1 \le i \le d_j$) along path $j$, and $p_i^j(v)$ be the marking probability of router $i$ along path $j$ as perceived by $v$. $p_i^j(v)$ may be different from $p_i^j(m)$; e.g., for PPM, $p_i^j(m) = p$ and $p_i^j(v) = p(1-p)^{d_j-i}$. Denote $N_j$ as the number of packets traversing along path $j$, and $M_i^j$ as the number of packets marked by the $i$th router along path $j$ and received by $v$. In other words, those packets initially marked by the $i$th router but remarked by any subsequent router are not counted into $M_i^j$. Denote $M^j$ as the number of packets marked by any router along path $j$ and received by $v$. Clearly, the expectations of $M_i^j$ and $M^j$ are, respectively,

$$E[M_i^j] = N_j\, p_i^j(v) \qquad (1)$$

and

$$E[M^j] = E\Big[\sum_{i=1}^{d_j} M_i^j\Big] = \sum_{i=1}^{d_j} E[M_i^j] = N_j \sum_{i=1}^{d_j} p_i^j(v).$$

The Number of Marked Packets for Path Reconstruction 

• The expected values of the total number of marked packets along path j 



( 2 ) 



in PPM, $p_i^j(v) = p(1-p)^{d_j-i}$. From (2) we obtain



( 3 ) 



• Probability of receiving at least one marked packet from each router. In PPM, since each router conducts marking independently, we have

$$P\{M_1^j \ge 1;\, M_2^j \ge 1;\, \cdots;\, M_{d_j}^j \ge 1\} \qquad (4)$$

That is,

$$P\{M_1^j \ge 1;\, M_2^j \ge 1;\, \cdots;\, M_{d_j}^j \ge 1\} = \prod_{i=1}^{d_j} \big(1 - P\{M_i^j = 0\}\big) = \prod_{i=1}^{d_j} \big(1 - [1 - p_i^j(v)]^{N_j}\big). \qquad (5)$$

Since $p_1^j(v) < p_2^j(v) < \cdots < p_{d_j}^j(v)$,

$$1 - [1 - p_1^j(v)]^{N_j} < 1 - [1 - p_2^j(v)]^{N_j} < \cdots < 1 - [1 - p_{d_j}^j(v)]^{N_j}. \qquad (6)$$

Combining with (5), we obtain

$$P\{M_1^j \ge 1,\, M_2^j \ge 1,\, \cdots,\, M_{d_j}^j \ge 1\} < \big(1 - [1 - p_{d_j}^j(v)]^{N_j}\big)^{d_j} = \big(1 - [1 - p]^{N_j}\big)^{d_j}. \qquad (7)$$

Inequality (7) holds for any $p$ ($0 < p < 1$). On the other hand, the maximum value of (5) can be obtained by taking the derivative of (5) with respect to $p$, resulting in

1 

p- (8) 

Thus, the maximum value of (5) can be reached if (8) is satisfied. 
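The following Python, added here and not taken from the paper, evaluates equations (1), (5) and (7) for one path of $d$ routers and $N$ packets, and searches numerically for the marking probability that maximises (5); the grid search stands in for the derivative step of (8).

```python
# Added example, not from the paper: the PPM quantities of the path
# reconstruction section for one path j with d routers and N packets.
# Routers are numbered from the attack source; router d is the last hop
# before the victim v, so its marks are never overwritten.

def perceived_prob(p, d, i):
    """p_i^j(v): a mark by router i survives only if routers i+1..d stay silent."""
    return p * (1 - p) ** (d - i)

def expected_marks(p, d, N):
    """Equation (1): E[M_i^j] = N_j p_i^j(v), listed for i = 1..d."""
    return [N * perceived_prob(p, d, i) for i in range(1, d + 1)]

def prob_all_routers_seen(p, d, N):
    """Equation (5): probability that v receives >= 1 mark from every router."""
    result = 1.0
    for i in range(1, d + 1):
        result *= 1 - (1 - perceived_prob(p, d, i)) ** N
    return result

def upper_bound(p, d, N):
    """Inequality (7): (1 - [1 - p]^N)^d, built from the last router's term."""
    return (1 - (1 - p) ** N) ** d

def best_marking_probability(d, N, steps=999):
    """Grid search over p in (0, 1) for the p that maximises (5).

    The paper obtains the maximiser analytically in (8); this numerical
    check (my addition) lets a reader compare against that result."""
    best_p, best_val = None, -1.0
    for k in range(1, steps + 1):
        p = k / (steps + 1)
        val = prob_all_routers_seen(p, d, N)
        if val > best_val:
            best_p, best_val = p, val
    return best_p, best_val
```

For a path of 10 routers and 100 packets the search lands near $p = 0.1$, and the value of (5) there stays below the bound (7) as the inequality requires.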

CONCLUSIONS 


In this work, we have shown that there are some problems in the PPM algorithm: the overwriting problem, the limited marking field, low accuracy, and so on. Dynamic probabilistic packet marking has solved these problems by using a dynamic probability and fragment reassembly. Meanwhile, using the expected number of required marked packets, $E[X]$, as the termination condition is not sufficient. Path reconstruction is the fundamental goal of packet marking. False positives are reduced: high false positives are actively suppressed by the above improvements, and the scheme is effective in handling the large-scale DDoS attacks that are dominant in today's Internet.